Android Touch-Event Hijacking

With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJacking on the web, TapJacking occurs when a malicious application draws a fake user interface that appears to be interactive but in fact passes interaction events, such as finger taps, through to a real user interface hidden behind it. The user believes they are tapping the fake screen; the legitimate application underneath receives the taps. Using this technique, an attacker could potentially trick a user into making purchases, clicking on ads, installing an application, granting permissions, or even wiping all of the data from their phone.

Earlier this year we contacted the Android Security Team at Google about the issue and they were able to build a fix into Android 2.3 (Gingerbread). In Android, an attacker can display the fake user interface by creating a customized Toast (a transient pop-up message that is drawn in its own window, on top of whatever activity is currently showing) and using it to obscure the real interface. To allow developers to protect their user interfaces from TapJacking, Android 2.3 added the ability for Views to reject touch events that arrive while the View's window is obscured by another window.

Essentially, this lets a View discard touches that were delivered while something else was drawn over it, eliminating the possibility of a user unknowingly interacting with a hidden View. The new feature for View objects can be used in two ways: by setting the filterTouchesWhenObscured property to true (android:filterTouchesWhenObscured="true" in layout XML, or setFilterTouchesWhenObscured(true) in code) or by overriding the onFilterTouchEventForSecurity(MotionEvent) method. It's important to remember that the property defaults to false: the new security feature only protects controls that developers explicitly opt in, so every sensitive button (purchase, install, grant permission, wipe) must be marked individually.
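The following is an added example, not code from the Lookout post or from the Android source, showing both mechanisms on a hypothetical purchase-confirmation button. The class name SecureButton, the log tag and the hypothetical handler are assumptions; the API calls (setFilterTouchesWhenObscured, onFilterTouchEventForSecurity and MotionEvent.FLAG_WINDOW_IS_OBSCURED) are the real Android 2.3 (API level 9) ones the text refers to.

```java
// Added example (not from the original article): a Button that refuses taps
// delivered while another window, such as a Toast, is drawn over it.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class SecureButton extends Button {
    private static final String TAG = "SecureButton"; // assumed log tag

    public SecureButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Mechanism 1: the property. Equivalent to writing
        //   android:filterTouchesWhenObscured="true"
        // on the <Button> element in the layout XML. With this alone, the
        // default View.onFilterTouchEventForSecurity() already drops touches
        // that carry FLAG_WINDOW_IS_OBSCURED; nothing else is required.
        setFilterTouchesWhenObscured(true);
    }

    // Mechanism 2: the hook. Overriding lets the app decide per-event and,
    // here, record the attempt so that it shows up in logs during testing.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The window manager sets this flag on a MotionEvent when another
        // visible window was covering this view's window at touch time.
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w(TAG, "Touch dropped: window obscured by another window"
                    + " (possible TapJacking attempt)");
            // Returning false swallows the event; onTouchEvent() and any
            // OnClickListener are never invoked for it.
            return false;
        }
        // Not obscured: defer to the default filtering behaviour.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Two caveats a practitioner should keep in mind. First, the filter is per-View and opt-in, so a layout with ten sensitive controls needs the attribute on all ten (or a container subclass that applies it); the default for every View remains false. Second, the flag is set whenever any other window overlaps the view, legitimate or not, so users running screen-dimming or colour-filter overlays will find the protected button silently ignores their taps; logging the dropped event, as above, makes that failure mode visible when debugging support reports.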

How TapJacking works (video): http://vimeo.com/17648348

Read the complete article on The Lookout Blog
